diff --git a/domain.te b/domain.te
index fc4cfd85a010d4c1d414aed32521cc0bf77113e1..19de0c0afd84c2719e7d83f834c904c905fc4460 100644
--- a/domain.te
+++ b/domain.te
@@ -350,6 +350,10 @@ neverallow {
 -zygote
 -installd
 -dex2oat
+ -system_server # TODO: The system server needs to create directories
+ # and link files for split APK installs. This could perhaps be
+ # removed if we made installd responsible for manipulating the
+ # staging directory.
 } dalvikcache_data_file:file no_w_file_perms;
 
 # Only system_server should be able to send commands via the zygote socket
diff --git a/system_server.te b/system_server.te
index 0b18eb4b6db1d5dfcd3f2367c9c83b88307ccc25..5d1398ab1af960916e65c50c7a102d684bfc96f6 100644
--- a/system_server.te
+++ b/system_server.te
@@ -16,6 +16,25 @@ allow system_server system_server_tmpfs:file execute;
 allow system_server dalvikcache_data_file:file execute;
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 
+# For PackageInstallerSession.
+#
+# All of these rules relate to the installation and compilation of split
+# APKs. Roughly, the process is as follows. The rules below only pertain
+# to step (3) of the process
+#
+# (1) Create a staging directory.
+# (2) Link existing APKs from the split
+#
+# (3) Link existing compiled oat files : This requires "create_dir_perms"
+# to create oat directories (foo/oat and foo/oat/x86), "relabelto" to
+# make sure they have the right label, and "link" to link files.
+#
+# (3) Invoke dex2oat to compile the updated / new split
+# (4) Rename the staging directory back to the final path.
+allow system_server dalvikcache_data_file:file link;
+allow system_server dalvikcache_data_file:dir relabelto;
+allow system_server dalvikcache_data_file:dir create_dir_perms;
+
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
 allow system_server resourcecache_data_file:dir r_dir_perms;
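Review bot: Exempting system_server from the entire no_w_file_perms set is broader than what the matching system_server.te hunk actually grants, which is only `link` on dalvikcache_data_file:file; as far as this hunk shows, the compile-time guarantee that system_server cannot write, unlink or rename dex cache files (files the adjacent system_server.te context shows it may execute) is lost along with it. The exception can be narrowed to the one permission needed by splitting the rule: `neverallow { domain -zygote -installd -dex2oat } dalvikcache_data_file:file { no_w_file_perms -link };` followed by `neverallow { domain -zygote -installd -dex2oat -system_server } dalvikcache_data_file:file link;`. The `neverallow {` opening and its `domain` subject line lie above the hunk and are visible only in the @@ header. The TODO already anticipates moving this work into installd; the narrower form keeps the remaining write permissions checked until that happens.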
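Review bot: The step list in the new comment block labels two different steps as (3) — linking existing oat files and invoking dex2oat — so the sentence "The rules below only pertain to step (3) of the process" is ambiguous about which one the three allow rules serve; renumber the later steps to `# (4) Invoke dex2oat to compile the updated / new split` and `# (5) Rename the staging directory back to the final path.` and name the oat-linking step explicitly. The comment also justifies `create_dir_perms` as needed "to create oat directories", but if I recall the global_macros definition correctly that macro also carries rmdir, reparent and remove_name, so it permits deleting and moving dalvikcache_data_file directories as well; since the domain.te neverallow was widened to make room for these rules, the comment should state that breadth or the rule should use a narrower set. `relabelto` on dalvikcache_data_file:dir only takes effect together with a `relabelfrom` on the staging directory's original type, which this hunk does not show; presumably it exists elsewhere, but naming that type in the comment would make the rule verifiable. The stray blank line between steps (2) and (3) and the missing periods after "from the split" and "of the process" could be tidied at the same time.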